Copyright IDC. Reproduction is forbidden unless authorized. All rights reserved.

IT Consumerization: Implications for Enterprise Mobile Security

Peipei Wu (吳乃沛)

Market Analyst,

Software & Services,

Enterprise Solutions Group,

IDC Taiwan

Email: pwu@idc.com

Aug-12 © IDC

Which is your view on IT

Consumerization?

1. It‟s mostly a hype

2. It‟s somewhat important and

has some relevance to my

business

3. It may fundamentally change

the way IT is deliverd/procured

and could seriously change

the use and management of

IT in my business

2

After Lunch Poll

IT Consumerization is the set of changes

resulting from enterprise workers bringing

their own devices and using Web 2.0

(social) applications in the workplace.

Aug-12 © IDC

Session agenda

• Issue 1 - The Mobile Worker

• Issue 2 - Devices

• Issue 3 - The OS

• Issue 4 - Mobile Applications for Business

• The Mobile Security Market

• Complementary Security

• Impact & Recommendations for Enterprise

3

Aug-12 © IDC 4

The Rise in : the Mobile Worker

838.7m The number of

employees in Asia-

Pacific (ex Japan)

that will be classed

as MOBILE

WORKERS

by 2015

37.9% This represents

almost 40% of the

Asia Pacific

employee base by

2015

3 types 1. Office based mobile

508.6m

2. Non-office mobile

317.8m

3. Home-based mobile

12.3m

Source: IDC‟s Worldwide Mobile Worker Population Forecast 2011-2015

Aug-12 © IDC 5

The Rise in the Mobile Worker : Drivers

UC&C now more deeply

integrated into mobility

Home-based

telecommuters in

certain markets

Mobility & flexibility

become employee

retention strategies

Lower cost smartphone devices and

data plans available in price-sensitive

markets

The consumerisation of IT and growth

in Tablet shipments will spur increased

focus on mobility

Drivers

Aug-12 © IDC 6

The Rise in the Mobile Worker : Implications

Consumerisation of IT

is challenging

organisations

The workplace

becomes more flexible,

more mobile

Productivity and

Employee satisfaction

are expectations

Concerns centre around security The „soft‟ factors become

significantly harder Implic

ations

Aug-12 © IDC 7

The Rise in : Mobile Devices

1.15bn The number of

mobile phones

shipped in Asia-

Pacific by 2016

540.0m SMARTPHONES

shipped as part of

the 1.1bn

1 in 2 Of all phones shipped

in Asia-Pacific by

2016 will be

SMARTPHONES

Source: IDC‟s Worldwide Mobile Phone Shipments 2012-2016, Worldwide Tablet Shipments 2012-2016

0

10

20

30

40

50

2010 2011 2012 2013 2014 2015 2016

Tablet Shipments APeJ 2010-2015 (unit shipments M)

December 2011 Forecast June 2012 Forecast

Aug-12 © IDC 8

ARM PDA

Feature Phone

Smartphone

X86 / Intel

Desktop PC

Notebook PC

Mira Tablet PC

Netbook

Desknote Media Tablet

The Technology Catalyst Form factors breaking down the distinctions among devices

Aug-12 © IDC 9

Source: IDC, June 2012

The Rise in : Mobile OS

0%

10%

20%

30%

40%

50%

60%

Android iOS Windows Mobile

BlackBerry Linux Symbian

2011

2016

Worldwide Smartphone Shipment Share by OS, 2011-2016

A single OS mobility platform will be

less likely for APeJ organisations in

future.

OS fragmentation will create greater

security risks.

Security point solutions will not be

enough to protect the enterprise.

62.5% 36.5% iOS

Android

BlackBerry

WW tablet Shipment Share by OS, 2012

Aug-12 © IDC

A Future Business Architecture?

Data

Meta Platform

Windows

OS

MacOS Linux

Android

iOS

Blackberry

Windows Phone

Symbian

Smartphone

iOS

Android Linux

Media Tablet

Linux

Android

eReader

Synchronization

PMPs

iOS

Linux

Android

Content Services

Other Services (Security, Storage, etc.)

Aug-12 © IDC

The Rise in : Mobile Applications

Source: IDC, Worldwide/U.S. Mobile Applications, Storefronts and Developer Revenue 2010-2014 Forecasts (IDC #225668, December 2010)

WW Mobile App Download Forecasts

11

Source: IDC, 2012

Aug-12 © IDC 12

The Rise in : Mobile Applications

The Top 5 Mobile Business Applications expected deployment 2011-2013

0% 20% 40% 60% 80% 100%

Email

IM

UC&C

SFA/CRM

Social Business

Now within 12 months 13-24 months

Organisations are increasingly taking their communications and data

activities into the mobile environment … in many courses sourced from

the Cloud

Aug-12 © IDC

Mobility Will Increase the Complexity of IT Security

13

Traditionally IT

Assets Resided

Here – Inside the

Wall

With Mobility They

now Reside

Everywhere

Aug-12 © IDC

The Current Mobile Security Landscape

PC

Adjacency

Architecture

Play Hardware

Based

Stand

alone

Pure Play

Mobile

SW/SV/

Device

Example Set

Aug-12 © IDC

Mobile Device Management is designed to enable IT Managers to track and

manage the entire inventory and assets of a mobile fleet (hardware and

software) typically through a centralized online management tool.

Mobile Device Management (MDM)

Includes lock, wipe, disable functionality (eg. Phone or specific attributes

such as cameras), OTA, remote diagnostics, remediation

Typical solutions are premised based however

Cloud / hosted solutions starting to become more common

Device players partnering / developing stronger security

eg Samsung and Sybase or RIM‟s expanded security solution

Stand alone vendors now partnering with Service Providers

BYOD now also bringing partioning of personal and corporate data

Starting to see selective data wipe capability

Aug-12 © IDC

MDM is becoming

Mobile DATA Management

Enterprises are starting to look beyond traditional device management

As smart billing enables greater use of applications and data sharing across

multiple devices, an integrated security management environment becomes

critical.

Multiple form factors, multiple OS, multiple applications are increasingly

interacting with a Cloud delivery environment

Device management is morphing to

become mobile DATA management

Vendors are beginning to adapt MDM

solutions – eg RIM with Blackberry

Balance & Blackberry Fusion

New entrants to market are focusing

explicitly on mobile data

management – eg LetMobile

Aug-12 © IDC

Mobile Security

Mobile security is defined as products designed or optimized to provide

security specifically for devices within the mobile environment, including

converged mobile devices, mobile phones, handheld devices, and mobile

laptops.

Mobile Secure Content Threat Management – eg. Virus, spyware, spam,

hacking

Mobile threat management

Mobile data encrypted DLP

Mobile VPN

Mobile Security Vulnerability Management

IAM

Anti-Malware, Intrusion prevention

Aug-12 © IDC

Mobile Security :

Breakdown by Solution 2010 & 2015

24.3%

19.2%

30.8%

10.8%

9.9%

5.0% 2010

MTM

IPC

VPN

MIAM

MSVM

MOS 25.4%

24.8% 23.3%

12.2%

10.3%

4.0% 2015

Source: IDC Worldwide Mobile Security 2011

MTM : Mobile threat management

IPC: File, full disk, or application encryption, data

loss prevention technology

VPN : Infrastructure and clients for mobile

MIAM : Mobile identity and access management

MSVM : Mobile security & vulnerability

management

MOS: Mobile Other Security : emerging solutions

eg. anti-theft, anti-fraud

Aug-12 © IDC

Complementary Technologies

GPS

Contextually aware security

Policies can be via device location.

Eg. Tablet with clients‟ health information moves beyond hospital

grounds prompting intervention

Virtualization

Organisations beginning to run multiple O/S on device

One for business, one for personal

More amenable to open O/S such as Android

VDI seen as an acceptable workaround for device security

Aug-12 © IDC

Unbridled, Consumerization Will Lead to the IT Department Losing Control

Time wasted

Lack of strategy = ITD downfall

Loss of flexibility

You can be outsourced

Dealing with the unknown

Leaked data and lost assets

Skills & management issues

An asset management nightmare

Security uncertainties

Dropped SLAs

Infr

astr

uctu

re

IT d

ep

art

me

nt

Op

era

tio

ns

Aug-12 © IDC

Recommendation #1: Asset Management Integrate Consumerization Within Your Asset Life Cycle

Take consumerization into account within the

asset management process:

– Plan/acquire/deploy/maintain/retire

Segment end users into key categories or profiles:

– Task workers/power users/mobile

workers/senior execs

Limit the number of "authorised devices":

– Laptops and tablets: latest Windows or iOS

only

– Smartphones: e.g., Android, iOS, or RIM

only

Limit authorised Web 2.0 applications:

– e.g., Facebook, LinkedIn, Twitter,

YouSendIt, and Skype only

Aug-12 © IDC

Recommendation #2: Security Processes Automate Security Features

Automate features within the consumer devices:

Host firewall, intrusion detection, and protections

End-point feature control

Strong authentication

On-air device lock and wipe

Automatic encryption

Antivirus, antimalware + automated patch management

Monitor activities of consumer devices

Longer term: assess client or apps virtualization as a possibility

Aug-12 © IDC

From Information to Intelligence

23

Mobile

Devices

& Apps

Mobile

Broadband

Cloud

Services

Big Data/

Analytics

Social

Business

2011

PC

LAN/

Internet

Client-

Server

1986

Millions of Users

Thousands of Apps

Hundreds of Millions of Users

Tens of Thousands of Apps

Billions of Users

Millions of Apps

Trillions of “Things”

Aug-12 © IDC

Recommendation #3: Support Processes Set Up Consumerization as Another "Class of Service"

Establish a consumerization strategy

Map in-house skills to it:

Partner with the relevant equipment and SW vendors

Identify gaps

Plan training and accreditations

Communicate with your end users:

What they can expect of the IT department …

… but also what the company can expect of them!

Set expectations in terms of SLAs

Within the IT department, ensure the following processes recognize

"consumerized devices" as another class of service (profile):

Incident, change, release, and configuration management

Start to regain control

Aug-12 © IDC

Intelligent Security Requires an Organizational Ecosystem

25

Leader Key Issues Tone and Roles

CEO Institution relevance

Market performance

Executive talent

Investment vs. Risk

Industry partnership; private sector role

Talent acquisition and education

CFO Efficient capital

Financial performance

Risk, including cyber

Security investment

Pay now/pay later trade-off

CISO ROI

COO Operational excellence

Complexity, cost of operation

Efficient/effective cyber-risk program

Uncompromised management

CTO Utilization

Infrastructure partners

Critical infrastructure protection

Facilities, storage, network, compute

Cyber-risk ecosystem

CIO

Systems integration

IT talent and ecosystem

Data and software governance

All channels

Software assurance

Data protection

LOB Executive IT on demand

Cost and excellence

Core Cyber-risk requirements

“Customer” protection strategy

Aug-12 © IDC

Workplace 2013?

Automate Security Features

Asset Management

Host Firewall Virtualization

Monitoring IDS

Support Processes Expectation Setting

Training

Communication Partnerships

Support Life Cycle

Map Skills to Policy & Requirements

Accreditations

Set up "Consumerization"

as Another Class of Service

Security Processes

Audience

Segmentation

Authorised Device

Catalogue

Limit Web 2.0

List

Integrate Consumerization

Into Your Asset Life Cycle

DLP

Configuration Mgmt

You cannot resist consumerization, you can only contain it.

Out of control, consumerization is toxic to the business. Under control, it is a powerful tool.

You can take steps to control consumerization and make it work for you.

USER-CENTRIC

COMPUTING Virtual Desktops Consumerised

Device (Choice) Mobility IT as a Service

Aug-12 © IDC 27

Don't Get Consumed by Consumerization

CIOs and vendors must focus on three processes

to remain in control.

Aug-12 © IDC

Takeaways: Definition, Impact, and Recommendations

Definition

Consumerization is the

set of changes resulting

from enterprise workers

bringing their own

devices and using Web

2.0 social applications in

the workplace.

Impact

The impact of

consumerization will be

broad and deep:

Infrastructure

Operations

The IT department

Consumerization can lead to

outsourcing.

28

Recommendations

Focus on three core areas,

starting now:

Asset management

Security processes

Support processes